The GDPR (General Data Protection Regulation) is a significant update to European Union privacy legislation. It replaces the 1995 Data Protection Directive, enhances individual privacy protections, and places new requirements on businesses that collect and handle data.
Sampler is fully committed to GDPR compliance in advance of the May 25, 2018 deadline. This page provides a summary of our compliance activities for customers, partners, and consumers.
Sampler began its GDPR-compliance activities in December 2017, a full 6 months before the deadline, to ensure enough time was given for a thorough compliance review and implementation process. Here’s a summary of where we’re at today:
The product and process changes we have identified for GDPR compliance are:
Based on our internal assessment and review by outside counsel, we believe these changes will fully address our GDPR obligations and give our customers and partners the information they need to fulfill their own compliance obligations.
GDPR allows cross-border data transfers without further authorization to countries recognized as possessing adequate personal data protections, such as Canada, and to U.S. companies certified under the EU-US Privacy Shield framework.
Sampler is a Canadian company hosted at Amazon Web Services US-East (N. Virginia), and Amazon is a Privacy Shield-certified company. Accordingly, the transfer of data between our hosting facility and EU countries is GDPR compliant. More information about Amazon’s compliance can be found here.
Under the GDPR, a Data Controller is an entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor is an entity that processes personal data on behalf of the Data Controller. Sampler embodies both roles in the operation of our Sampling programs.
The consumer has a single Sampler account across all of the Sampler programs they participate in with our customers and partners. Sampler determines the policies and procedures to use and protect this data. Consequently, it is the Data Controller for this account.
Consumers may also opt in to share information from their Sampler account with our customers and partners for remarketing purposes. The customer or partner determines the uses and protection of this data and is its Data Controller, and Sampler is the Data Processor facilitating the data transfer.
The GDPR does not set any fixed data retention period. Article 5(e) of the regulation simply requires that personal data be kept for no longer than is necessary for the purposes for which it is processed.
Because we maintain a single Sampler account for consumers, which they may use in any program we power, the necessary retention period is not limited to any specific program’s availability window. Rather, we will be providing consumers themselves the ability to access, rectify, download and delete all profile information at any time within their Sampler account portal. Further, consumers will be prompted to review their profile information annually.